Allow opt-out from the recovery code

Some users don't want to use the recovery code feature as it just makes it easier for an attacker to gain access to their account. Let responsible users opt-out if they so choose. Don't force a controversial feature on all users.

The recovery code does not make it easier for an attacker to gain access to an account as long as you don’t write the recovery code down and store it in an insecure place. Unfortunately, some users spread false information about this feature to discredit Tutanota.

The recovery code was a feature requested by many users and it is the most secure account recovery that has ever been implemented.

To make it short: If you don’t trust the recovery code, you don’t trust Tutanota as it is based on the same strong cryptography that all other parts of Tutanota are also based on.

We removed the popup to ask for the recovery code from the next release, as probably all users that want the recovery code set it up already. See
github.com/tutao/tutanota/issues/880

Haven’t checked my email for a while, didn’t know about the recovery code, trusted that I could still access my mail, but now the app doesn’t recognize my password and now I’m getting server connection emails. Is this because of this recovery code? I can access other web sites.

Why are you (Tutanota) not giving your users the option to opt-out? It's a basic principle of transparency - giving users a choice. Also, good one for deleting half the comments from this thread, something Google would do.

I would suggest opt-out being allowed, purely for psychological and marketing reasons.

I accept Tutanota's technical explanations about the recovery code. I have no reason to suspect a recovery code + password configuration is not as secure as a password-only configuration.

However, it's very difficult to grasp psychologically. There's one piece of advice given by Tutanota on reddit that's logically flawless, but incredibly difficult to accept mentally: if you don't like our recovery code system, just set one and forget it. Just don't write it down, act as if it had never existed.

For non-tinfoil hat people, this is completely counter-intuitive and unsettling. For slightly paranoid people, and many Tutanota users are bound to belong to that category, it's a big red flag.

I believe people should be allowed to make their own choices, and risk losing their account by losing their password if they prefer it that way, and don't wish to set a recovery code.

Unless there's a compelling reason we don't know about, and then Tutanota should tell us about it.

I don't want a recovery mode, nor do I want to be constantly pestered to set one up. Let me choose if I want one, or create one later, but don't force me to have one. I expect this kind of annoying notification from Microsoft Office, not my paid-for Tutanota account.

I don't get it. When I click "Später" I don't mean to be nagged about it again and again every time I start the app. Bring it up in 14 days or a month, I may reconsider, depending on how you clean this mess up. Right now it makes me cancel my subscription simply because of the lack of reply to a crucial issue.

No crypto payments for four years and now a forced recovery code / backdoor. This is extremely disappointing, I thought Tutanota stood for freedom and liberty. I guess I should have known though with them being based in Germany, it's impossible for Germans to support liberty, privacy, and free speech.

Tutanota acting like a totalitarian nanny state who knows what's best for us and treating us like children who can't make our own decisions is a big turn off. I'm losing faith in Tutanota over this fiasco. Just listen to your users and add an opt-out. Not all users want to be forced to use it.

I can understand why some users would want a recovery feature. However, Tutanota shouldn't force the feature on users that don't want it. We don't need to be treated like children who need their hand held. We can make our own decision on whether or not we want to take the risk of enabling a recovery code like a responsible adult. Additionally, after all the rumors they really need to add an opt-out feature just to mitigate the perception that it was added for malicious purposes at the request of a government.